Make comments more accessible for screen readers.

macko1 · macko1 · commit 8df1575a2dba · 2026-05-06T17:04:58.000+02:00
diff --git a/shared/templates/grub2_bootloader_argument/oval.template b/shared/templates/grub2_bootloader_argument/oval.template
@@ -8,6 +8,8 @@
   LOCATIONS WHERE KERNEL ARGS LIVE (per product):
   ================================================
 
+  [VISUAL TABLE: products vs. config file locations, aligned in columns.]
+
   Product         Flags                              Boot entries                       Persistent config        Other
   --------------- ---------------------------------- ---------------------------------- ------------------------ ---------------------------
   RHEL 9+, Fedora `uses_boot_loader_entries`        `/boot/loader/entries/*.conf`       `/etc/default/grub`     (`bootc`: `kargs.d/*.toml`)
@@ -21,6 +23,31 @@
   Ubuntu          `uses_grub_cfg`                    `/boot/grub/grub.cfg`               `/etc/default/grub`     `/etc/default/grub.d/*.cfg`
                   `uses_etc_default_grub_d`          (args on `vmlinuz` lines)
 
+  LONG DESCRIPTION (text equivalent of the table):
+
+    RHEL 9+, Fedora:
+      Flags: `uses_boot_loader_entries`
+      Boot entries: `/boot/loader/entries/*.conf` (args on `options` line)
+      Persistent config: `/etc/default/grub`
+      Other: `bootc` systems use `/usr/lib/bootc/kargs.d/*.toml` instead
+
+    RHEL 8, OL8:
+      Flags: `uses_boot_loader_entries`, `uses_kernelopts`
+      Boot entries: `/boot/loader/entries/*.conf` (args on `options` line or via
+        `$kernelopts` indirection from `/boot/grub2/grubenv`)
+      Persistent config: `/etc/default/grub`
+
+    OL7:
+      Flags: `uses_grub_cfg`
+      Boot entries: `/boot/grub2/grub.cfg` (args on `vmlinuz` lines)
+      Persistent config: `/etc/default/grub`
+
+    Ubuntu:
+      Flags: `uses_grub_cfg`, `uses_etc_default_grub_d`
+      Boot entries: `/boot/grub/grub.cfg` (args on `vmlinuz` lines)
+      Persistent config: `/etc/default/grub`
+      Other: `/etc/default/grub.d/*.cfg` (drop-in config files)
+
   WHAT THIS TEMPLATE DOES:
   ========================
 
@@ -116,6 +143,9 @@
   (`IS bootc` / `NOT bootc`) ensure the wrong branch always fails.
   Products without `bootc` support emit only the normal `grub` branch.
 
+  [VISUAL TREE: indented AND/OR hierarchy showing the two branches (Image Mode vs.
+  normal grub) and all sub-checks within the normal grub branch.]
+
   definition (OR) -- passes if EITHER branch matches the system
   |
   +-- [Image Mode] AND (bootable_containers_supported)
@@ -146,13 +176,49 @@
                   |   (+ `grub.d` drop-in on Ubuntu)
                   +-- `GRUB_DISABLE_RECOVERY=true`
 
+  LONG DESCRIPTION (text equivalent of the criteria tree):
+
+    The definition passes (compliant) if EITHER of two branches is true:
+
+    Branch 1 -- Image Mode (only emitted when `bootable_containers_supported`):
+      Both must be true:
+        - The system IS a `bootc` deployment.
+        - `/usr/lib/bootc/kargs.d/*.toml` contains `arg=value`.
+
+    Branch 2 -- normal grub:
+      All of the following must be true:
+        - The system is NOT a `bootc` deployment (guard; only when `bootable_containers_supported`).
+        - [RHEL 8 / OL8, `uses_kernelopts`]:
+            EACH `/boot/loader/entries/*.conf` (excluding rescue) has `arg=value`
+            on its `options` line, OR contains `$kernelopts`.
+            AND EITHER no entry references `$kernelopts` (so `grubenv` is irrelevant),
+            OR `{grub2_boot_path}/grubenv` contains `arg=value`.
+        - [RHEL 9+ / Fedora, `uses_boot_loader_entries` without `uses_kernelopts`]:
+            EACH `/boot/loader/entries/*.conf` (excluding rescue) has `arg=value`
+            on its `options` line.
+        - [OL7 / Ubuntu, `uses_grub_cfg`]:
+            `{grub2_boot_path}/grub.cfg` has `arg=value` (BIOS path, or UEFI path if separate).
+        - [all products]:
+            EITHER `GRUB_CMDLINE_LINUX` in `/etc/default/grub` has `arg=value`
+              (plus `grub.d` drop-in on Ubuntu),
+            OR BOTH `GRUB_CMDLINE_LINUX_DEFAULT` has `arg=value`
+              (plus `grub.d` drop-in on Ubuntu)
+              AND `GRUB_DISABLE_RECOVERY=true`.
+
+    Only the sub-checks relevant to the product (controlled by `uses_*` flags) are emitted.
+    Branches 1 and 2 are mutually exclusive at runtime due to the `IS bootc` / `NOT bootc` guards.
+
   DATA FLOW:
   ==========
 
   Each object extracts the FULL line (or array) as `subexpression`.
   Each state uses `pattern match` to check if `arg=value` appears in that captured text.
   All `grub`-location tests share one state; `bootc` has its own (quotes around value).
 
+  [VISUAL DIAGRAM: 6 object boxes on the left (one per config file location) with
+  arrows pointing to 3 state boxes on the right (shared grub state, bootc state,
+  and kernelopts state). Shows which objects feed which states.]
+
   OBJECTS                                       STATES
   ═══════                                       ══════
 
@@ -211,16 +277,86 @@
   (uses_kernelopts) -- additional state used with `state_operator="OR"`:
   ┌─ state_grub2_{ARG}_argument_is_kernelopts ─┐
   │  ^(?:.*\s)?\$kernelopts(?:\s.*)?$           │
-  │  Matches `$kernelopts` as a word.           │
-  │  The RHEL 8 BLS test references BOTH        │
-  │  `state_argument` and this state with OR:   │
-  │  entry passes if it has arg=value OR        │
-  │  contains `$kernelopts`.                    │
-  │  (Same flag as the `grubenv` object --      │
-  │  both exist only when `$kernelopts`         │
-  │  indirection is in play.)                   │
+  │                                             │
+  │  Pattern match: is `$kernelopts` present    │
+  │  as a standalone word in the captured       │
+  │  `options` line from                        │
+  │  `/boot/loader/entries/*.conf`?             │
+  │                                             │
+  │  The RHEL 8 BLS test applies BOTH           │
+  │  `state_grub2_{ARG}_argument` and this      │
+  │  state with `state_operator="OR"`:          │
+  │  an entry passes if its `options` line      │
+  │  contains `{ARG_NAME_VALUE}` OR contains    │
+  │  `$kernelopts`.                             │
+  │                                             │
+  │  Same `uses_kernelopts` flag as the         │
+  │  `{grub2_boot_path}/grubenv` object --      │
+  │  both exist only on RHEL 8 / OL8.           │
   └─────────────────────────────────────────────┘
 
+  LONG DESCRIPTION (text equivalent of the diagram; same information, no box-drawing):
+  ──────────────────────────────────────────────────────────────────────────────────────
+
+  There are 6 objects (data collectors) and 3 states (pass/fail conditions).
+
+  OBJECTS -- each extracts a line of text from a config file:
+
+    A. `/boot/loader/entries/*.conf` (flag: `uses_boot_loader_entries`)
+       OVAL element: `<ind:path>` + `<ind:filename operation="pattern match">`
+       Pattern: `^options (.*)$` -- captures the kernel arg list after `options `.
+       Filter: excludes filenames matching `*rescue.conf`.
+       Tested against: `state_grub2_{ARG}_argument`.
+
+    B. `{grub2_boot_path}/grubenv` (flag: `uses_kernelopts`)
+       OVAL element: `<ind:filepath>`
+       Pattern: `^kernelopts=(.*)$` -- captures the arg list after `kernelopts=`.
+       Tested against: `state_grub2_{ARG}_argument`.
+
+    C. `{grub2_boot_path}/grub.cfg` (flag: `uses_grub_cfg`)
+       OVAL element: `<ind:filepath>`
+       Pattern: `^.*/vmlinuz.*(root=.*)$` -- captures from `root=` to end of line.
+       Tested against: `state_grub2_{ARG}_argument`.
+
+    D. `/etc/default/grub` (all products)
+       OVAL element: `<ind:filepath>`
+       Pattern: `^\s*GRUB_CMDLINE_LINUX="(.*)"$` -- captures contents between quotes.
+       Same pattern repeated for `GRUB_CMDLINE_LINUX_DEFAULT`.
+       Tested against: `state_grub2_{ARG}_argument`.
+
+    E. `/etc/default/grub.d/*.cfg` (flag: `uses_etc_default_grub_d` / Ubuntu)
+       OVAL element: `<ind:filepath operation="pattern match">`
+       Pattern: same as D.
+       Same pattern repeated for `GRUB_CMDLINE_LINUX_DEFAULT`.
+       Tested against: `state_grub2_{ARG}_argument`.
+
+    F. `/usr/lib/bootc/kargs.d/*.toml` (flag: `bootable_containers_supported`)
+       OVAL element: `<ind:path>` + `<ind:filename operation="pattern match">`
+       Pattern: `^kargs = \[([^\]]+)\]$` -- captures array contents between brackets.
+       Tested against: `state_grub2_{ARG}_usr_lib_bootc_kargs_d`.
+
+  STATES -- each applies a regex to the captured text:
+
+    1. `state_grub2_{ARG}_argument` (shared by objects A through E)
+       Regex: `^(?:.*\s)?{ARG_NAME_VALUE}(?:\s.*)?$`
+       Question: is `{ARG_NAME_VALUE}` present as a standalone word (bounded by
+       whitespace or start/end of string)?
+       When `ARG_VARIABLE` is set, the regex is assembled at runtime: `oscap` reads
+       the value from the `XCCDF` profile, a `local_variable` concatenates it into
+       the regex pattern, and the state references it via `var_ref`.
+
+    2. `state_grub2_{ARG}_usr_lib_bootc_kargs_d` (used by object F only)
+       Regex: `^.*"{ARG_NAME_VALUE}".*$`
+       Question: is `"{ARG_NAME_VALUE}"` present anywhere (with surrounding quotes,
+       as per `TOML` syntax)?
+
+    3. `state_grub2_{ARG}_argument_is_kernelopts` (flag: `uses_kernelopts`)
+       Regex: `^(?:.*\s)?\$kernelopts(?:\s.*)?$`
+       Question: is `$kernelopts` present as a standalone word?
+       Used ONLY by the RHEL 8 BLS test, which applies both state 1 and state 3
+       with `state_operator="OR"`: an entry passes if it contains `{ARG_NAME_VALUE}`
+       OR contains `$kernelopts`.
+
   REGEX SEMANTICS (what each `pattern` captures as `subexpression`):
   ─────────────────────────────────────────────────────────────────
 
